Hackers exploited remote access that had no multifactor authentication
UHG states it paid ransom to protect patient data
UnitedHealth Group (UHG) issued a statement yesterday, claiming they were announcing support for people who might be concerned about their personal data being affected by the massive Change Healthcare data breach. Their statement says, in part:
Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.
Although it may be months before individuals receive notification letters, patients can get information and enroll in complimentary credit monitoring and identity theft protection services now. Details are available at http://changecybersupport.com/. The company also writes:
The company, along with leading external industry experts, continues to monitor the internet and dark web to determine if data has been published. There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time.
But as DataBreaches.net reports, in addition to the screencaps that had been posted as proof of claims, there were two onion URLs that linked to files and data. Those onion URLs were online and available. Did the links to the files work at that time? UHG makes no mention of those onion URLs.
In related news, CNBC obtained a statement from UHG confirming that it had paid ransom:
“This attack was conducted by malicious threat actors, and we continue to work with the law enforcement and multiple leading cyber security firms during our investigation,” UnitedHealth told CNBC in a statement. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”
The company did not specify the ransom payment amount.
Although the company did not clarify whether it was talking about the alleged initial ransom payment of $22 million or a new ransom demanded by RansomHub for the 4TB of data an affiliate stole as part of the attack, it seems likely they are talking about the RansomHub demand, as the data were removed after initially being listed.
Was UHG Negligent?
Other news revealed this week about the breach is likely to cause additional significant financial headaches for UHG. The Wall Street Journal reported:
The hackers who attacked UnitedHealth Group’s Change Healthcare unit were in the company’s networks for more than a week before they launched a ransomware strike that has crippled vital parts of the U.S. healthcare system since February.
The attackers, who represented themselves as the ALPHV ransomware gang or one of its affiliates, gained entry into Change’s network on Feb. 12, a person familiar with the cyber investigation said. They used compromised credentials on an application that allows staff to remotely access systems, the person said.
Multifactor authentication protocols are typically used to guard against such breaches, including the use of text-message codes or access tokens keyed to individual users. MFA wasn’t enabled on this particular application, the person said.
Taking advantage of unsecured Remote Desktop Protocol (RDP) access, a remote-access service reachable with a password alone and no second factor, is a well-known and common means of gaining access to a target’s systems. Lawyers filing suit against UHG/Change Healthcare will almost certainly frame the missing MFA as negligence on the firm’s part.